On Mon, 26 Nov 2001, Jani Jaakkola wrote:

> At least on RedHat, the default pam-installations creates these two
> suid-binaries:
>
> -r-sr-xr-x 1 root root 15088 Nov 9 18:30 /sbin/pwdb_chkpwd*
> -r-sr-xr-x 1 root root 16824 Nov 9 18:30 /sbin/unix_chkpwd*
>
> which are "authentication proxies" used by pam_pwdb and pam_unix.

I have them as well (though on Suse they are set setgid shadow instead).
I did not figure they were supposed to be used by pam_unix, and apparently
my pam_unix does not try to use them.

The application in question is postgres; I have a single entry in
/etc/pam.d/postgresql:

auth required /lib/security/pam_unix.so

(Replacing this with pam_permit.so allows me to connect to the database
without trouble, so pam auth itself appears to be working).

Tracing the postmaster child process during login shows:

[pid 12696] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid 12696] send(8, "R\0\0\0\3", 5, 0) = 5
[pid 12696] recv(8, "\0", 1, MSG_PEEK) = 1
[pid 12696] recv(8, "\0\0\0\10foo\0", 8192, 0) = 8
[pid 12696] write(2, "CheckPAMAuth: pam_acct_mgmt fail"..., 61) = 61
[pid 12696] write(2, "FATAL 1: PAM authentication fai"..., 55) = 55
[pid 12696] send(8, "EFATAL 1: PAM authentication fa"..., 57, 0) = 57

I did not discover any reference to /sbin/unix_chkpwd in the trace -- no
stat, no fork & exec.

PAM version is 0.74 (as shipped with Suse 7.2)

I am kind of lost here. Is there anything else I have to set up so pam_unix
will call unix_chkpwd?

Best regards
--
Helge Bahmann <bahmann@math.tu-freiberg.de>             /|  \__
Network admin, systems programmer                      /_|____\
                                                     _/\ |   __)
$ ./configure                                        \\ \|__/__|
checking whether build environment is sane... yes     \\/___/ |
checking for AIX... no (we already did this)            |